Setting up face-to-face registration for issuing certificates using the KeyOne LXRA product.
KeyOne Certificate Management
KeyOne Certificate Management, part of the Safelayer Public Key Infrastructure (PKI) solution, is composed of KeyOne CA (Certification Authority) and KeyOne XRA (Registration Authority).
KeyOne Certificate Management is designed to:
- Manage the generation and the life-cycle of the digital certificates for users, applications and entities with maximum security guarantees
- Comply with the standards for Service-Oriented Architecture (using a SOAP/XML interface) integration, reducing integration and maintenance costs
- Facilitate the adaptation of the roles and auditing of the Certification Authority (CA) to the recommendations of the European Committee for Standardization (CEN) for certification service providers
- Support the load requirements of critical identity management infrastructures (for public and private corporations)
- Workflow based
KeyOne XRA is extremely adaptable to business needs, both for user registration processes and for the delivery of digital certificates to users. Its workflow manager provides simple and reliable system configuration for defining which data processing actions are included in the registration process and which data the system exchanges with users, operators and applications.
- CA keys coexistence period management
KeyOne simplifies the control of the Public Key Infrastructure (PKI) through the automatic management of the Certification Authority keys. KeyOne supports defining the events to be executed when keys are renewed, transparently controlling the maximum validity period of digital certificates, and managing the coexistence of the old Certification Authority (CA) keys (which are used transparently to revoke the digital certificates issued with them).
- Integration and cost saving
KeyOne CA and KeyOne XRA can operate as specialized service components in Service-Oriented Architectures (SOA). Administrators can easily configure the SOAP/XML interface to define which functions are made available as Web services for corporate applications to request and revoke digital certificates.
The wide connectivity of KeyOne XRA satisfies the need to access and update data in directories, databases, Web services, archives, electronic messaging and hardware devices (e.g., smart card printers).
- Maximum security, control and reliability
KeyOne CA and KeyOne XRA support defining the roles and events required to operate in compliance with the Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures (CWA 14167-1). The system supports FIPS 140-2 Level 3 HSMs with M-out-of-N secret sharing schemes, which give the private keys of the CA and RA the maximum protection guarantees. KeyOne CA v3.0 has achieved the CC EAL4+ (ALC_FLR.2) assurance level. KeyOne CA v4.0 is currently undergoing certification.
- Complete and scalable
KeyOne PKI products are designed to manage large volumes of users, digital certificates and multiple CRL distribution points (as required by government infrastructures). The components of the KeyOne family provide a complete solution for advanced PKIs; any registration procedure (KeyOne XRA, KeyOne LXRA and the SOAP/WS interface), a Validation Authority (KeyOne VA) and a Time Stamp Authority (KeyOne TSA) can be incorporated into the system.
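The CA key coexistence rule above (a renewed key must stop issuing early enough that no certificate outlives it, and the old key must stay available to revoke what it issued) is illustrated by the following added example. It is not Safelayer code; the key identifiers, dates and the one-year certificate policy are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy: end-entity certificates are valid for at most one year.
MAX_CERT_LIFETIME = timedelta(days=365)


@dataclass
class CaKey:
    key_id: str          # stands in for the Authority Key Identifier (constructed)
    not_before: datetime
    not_after: datetime


@dataclass
class Cert:
    serial: int
    issuer_key_id: str   # which CA key signed this certificate
    not_after: datetime


def last_issue_date(key, max_lifetime=MAX_CERT_LIFETIME):
    """Latest date on which a CA key may still sign a new certificate.
    After it, a full-lifetime certificate would outlive the key."""
    return key.not_after - max_lifetime


def issue(key, serial, now, lifetime=MAX_CERT_LIFETIME):
    """Issue a certificate with `key`, enforcing the maximum-validity rule."""
    if lifetime > MAX_CERT_LIFETIME:
        raise ValueError("requested lifetime exceeds the policy maximum")
    if not (key.not_before <= now <= last_issue_date(key, lifetime)):
        raise ValueError(f"key {key.key_id} may not issue on {now.date()}")
    return Cert(serial, key.key_id, now + lifetime)


def crl_signing_key(cert, keys):
    """Revocation is published by the key that issued the certificate, which is
    why the old key coexists with the new one instead of being destroyed."""
    for key in keys:
        if key.key_id == cert.issuer_key_id:
            return key
    raise LookupError(f"issuing key {cert.issuer_key_id} is gone; cannot revoke")


def retire_date(key, certs):
    """An old key may be withdrawn only once every certificate it issued expired."""
    own = [c.not_after for c in certs if c.issuer_key_id == key.key_id]
    return max(own, default=key.not_before)
```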
KeyOne CA can act as a Root CA, Subordinate CA or Bridge CA. Cross-Certification Environments are also supported. Depending on how it is used, the CA operates in conjunction with the Safelayer KeyOne XRA product or an application that assumes the entity registration functions. KeyOne CA can also operate in conjunction with the KeyOne VA product to provide the digital certificate validation service. The main functions of KeyOne CA are:
- Generate and protect the private keys via the use of cryptographic devices (HSM).
- Automatically manage the life-cycle and the coexistence of the private keys of the CA.
- Manage recognized Registration Authorities (RAs) and assign them certification policies.
- Generate the ITU-T X.509v3 digital certificates (for users and applications) requested by the RAs.
- Generate and publish lists of revoked and suspended digital certificates (CRLs).
- Report on the status of the digital certificates so the validation service (VA) can publish it via OCSP.
- Allow encryption keys to be securely stored and recovered (if they are lost).
- Guarantee the secure auditing of the events and actions carried out in the system.
KeyOne XRA operates as a user/application registration service (RA) for requesting the issuing and revocation of digital certificates (in conjunction with KeyOne CA). The system can combine the following registration procedures:
- The face-to-face procedure, in which the requesting users are physically present at the registration point and obtain their digital certificates straight away. With KeyOne LXRA (Local Registration Authority), a simple manual registration system is deployed close to the requesting user and centrally managed by KeyOne XRA. The system also includes a complete card management system designed to personalize the chip and print the smart cards.
- The remote procedure, in which the request process and the issuing of digital certificates are executed remotely. This procedure supports preauthorized requests or requests approved at a later date by a registration authority operator. The approval, renewal and revocation of certificates can be managed from an application that accesses KeyOne XRA (where all the information is centralized) via SOAP/XML.
- The automatic procedure, in which the information on users/applications is retrieved from databases, directories and recognized applications. As the connection with KeyOne XRA is carried out securely (via HTTPS and SOAP/XML), the functions of the registration system can be invoked remotely (accessible as Web services) to approve registration requests and the renewal and revocation of digital certificates.
In KeyOne, the user, key and certificate life-cycles follow a fully configurable workflow. This means that the default operation of the KeyOne applications (typically KeyOne CA and KeyOne XRA) can be customized to suit the key management and registration procedures.
The workflow-configurable operations comprise application management (e.g., the issue and renewal of the application's own keys) and the provision of services to third parties (e.g., the approval of certificate requests in KeyOne XRA, the issue and publication of certificates in KeyOne CA).
These tasks can be automated (e.g., the automatic renewal of the TSA's or VA's own keys), which minimizes the number of manual procedures and guarantees service continuity. The workflow can be configured for all execution areas:
- Functions (e.g., approve a user, create a certificate request) accessible via SOAP / XML.
- Entities (e.g., user entities, certificate entities).
- Wizards (figure), forms, views or layouts for running the workflow from the graphical interface of the application.
- Integration with external resources (e.g., corporate databases, client portal, reporting tools).
- Automated actions (e.g., sending email notifications, publishing certificates).
- User-interface language resources (e.g., text in the forms, parameter descriptions, error messages).
Figure. User registration and certificate issue flow:

The following figure illustrates a Certification Authority (CA) operated by KeyOne CA and how it interacts with KeyOne (or third party) products to provide registration and publishing options for the status of the digital certificates.
- The registration system can be implemented with KeyOne XRA or with a corporate application that acts as the RA (not shown in the figure).
- A directory (LDAP), a Web server or KeyOne VA can be used to publish the status of the digital certificates (using CRLs or OCSP).
- The HSM used for protecting the private keys of the CA is also shown in the figure.
The figure also illustrates a Registration Authority (RA) operated by KeyOne XRA and how it interacts with the different components of the architecture and with other KeyOne products (KeyOne CA and KeyOne LXRA) to provide the supported types of registration procedure (face-to-face, remote or automatic).

Automatic registration in a certification system using the SOAP/WS interface of KeyOne XRA.
The KeyOne download area contains documentation and videos for learning more about the KeyOne product family. Access to the contents of that area requires prior registration.
(*) KeyOne v3.0 has achieved the ISO/IEC 15408 EAL4+ (ALC_FLR.2) assurance level (http://www.oc.ccn.cni.es/ProdCert_en.html) and complies with the CIMC Security Level 3 Protection Profile (Certificate Issuing and Management Components, NIST, 31 October 2001).
(*) KeyOne CA v4.0 is currently undergoing certification to achieve CC EAL4+ (ALC_FLR.2).